Your message dated Wed, 05 Dec 2007 20:47:25 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#453652: fixed in rsync 2.6.9-5.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: rsync
Version: 2.6.3-1
Severity: important
Tags: patch security

Hi,
the new rsync upstream release fixes two security bugs which 
can be exploited via a symlink attack.
"1. Daemon advisory for "use chroot = no"

If you are running a writable rsync daemon with "use chroot = no", there is at 
least one way for someone to trick rsync into creating a symlink that points 
outside of the module's hierarchy. 

This means that if you are allowing access from users who you don't trust, you 
should either figure out a way to turn on "use chroot", or configure the 
daemon to refuse the --links option (see "refuse options" in the rsyncd.conf 
manpage) which will disable the ability of the rsync module to receive 
symlinks. After doing so, you should also check that any existing symlinks in 
the daemon hierarchy are safe. 

Starting with the 3.0.0-pre6 release, there is a new daemon option available: 
"munge symlinks". This allows an rsync daemon to accept symlinks and return 
them intact (with even a leading slash still there, which is new for a 
non-chroot daemon), but will not allow the symlinks to be used while they are 
in the daemon's hierarchy. For those running 2.6.9, there is a patch to 
implement this option. 

Any admin applying that patch should read the "munge symlinks" section of the 
modified rsyncd.conf manpage for more information. You can also read about this 
option in the rsyncd.conf manpage from the 3.0.0pre6 release. 
2. Daemon advisory for daemon excludes

If you are running a writable rsync daemon that is using one of the "exclude", 
"exclude from", or "filter" options in the rsyncd.conf file to hide data from 
your users, you should be aware that there are tricks that a user can play with 
symlinks and/or certain options that can allow a user that knows the name of a 
hidden file to access it or overwrite it (if file permissions allow that). 

You can avoid the symlink problem using the suggestions in the advisory above. 

You can avoid the problems with other options by putting the following "refuse 
options" setting into your rsyncd.conf file: 
refuse options = --*-dest --partial-dir --backup-dir

An upcoming release of rsync 3.0.0 will hopefully fix the daemon-exclude 
validation of these options to make this unnecessary, but this has not yet been 
implemented. 

If you combine the above refuse options with the prior suggestion to refuse 
--links, that would give you this list of options (included here for easier 
copy/pasting): 
refuse options = --links --*-dest --partial-dir --backup-dir"

See: http://rsync.samba.org/security.html#s3_0_0

A patch can be found on:
http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff

A CVE id for this issue is currently pending; I will add it to the bug report.
If you fix the package after I have got it, please include the CVE id in the
changelog.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp3VbLNVM72a.pgp
Description: PGP signature


--- End Message ---
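The advisory quoted in the report above recommends two things for a writable module that runs with "use chroot = no": refuse the listed options in rsyncd.conf, and check that any symlinks already present in the module hierarchy are safe. The shell script below is an added example and is not part of the bug report, of Debian's package, or of rsync itself. It audits a module directory for symlinks whose fully resolved target lies outside the module root (the kind of link the advisory warns a non-chroot daemon can be tricked into creating), and prints a module stanza carrying the advisory's combined "refuse options" line. The module name "upload", the path "/srv/rsync/upload", and the reliance on GNU coreutils "readlink -f" and "find" are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Debian bug report or the rsync advisory):
# audit an rsync module tree for symlinks that resolve outside the module
# root, and print the rsyncd.conf mitigations the advisory recommends for a
# writable module that still runs with "use chroot = no".
#
# Assumptions: GNU coreutils readlink (-f) and find are available, and the
# directory passed in is the "path =" value of the rsyncd.conf module.

# audit_symlinks MODULE_ROOT
#   Prints every symlink under MODULE_ROOT whose resolved target is outside
#   MODULE_ROOT, or that cannot be resolved at all (a dangling link whose
#   parent directory no longer exists). A dangling link whose canonical path
#   still lies inside the module is not reported: it cannot reach anything
#   outside. Returns 0 when the tree is clean, 1 when at least one link
#   escapes or is unresolvable, 2 when MODULE_ROOT is not a directory.
audit_symlinks() {
    root=$(readlink -f "$1" 2>/dev/null) || return 2
    [ -d "$root" ] || return 2
    list=$(mktemp) || return 2
    # find does not follow symlinks by default, so -type l matches the link
    # itself even when it points at a directory.
    find "$root" -type l -print > "$list"
    bad=0
    while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null || true)
        case "$target" in
            "$root"|"$root"/*)
                ;;                                   # stays inside the module
            "")
                printf 'UNRESOLVABLE %s\n' "$link"; bad=1 ;;
            *)
                printf 'ESCAPES      %s -> %s\n' "$link" "$target"; bad=1 ;;
        esac
    done < "$list"
    rm -f "$list"
    return $bad
}

# hardened_module_stanza
#   Prints a module definition applying the advisory's mitigations for a
#   writable module that cannot yet run with chroot. Module name and path are
#   placeholders; "use chroot = yes" remains the better fix where feasible.
hardened_module_stanza() {
    cat <<'EOF'
[upload]
    path = /srv/rsync/upload
    read only = no
    use chroot = no
    # --links: an untrusted sender can otherwise plant a symlink pointing
    # outside the module (advisory 1). The *-dest, partial-dir and backup-dir
    # options let a user reach files hidden by exclude/filter (advisory 2).
    refuse options = --links --*-dest --partial-dir --backup-dir
    # With the munge-symlinks patch (or rsync 3.0.0), "munge symlinks = yes"
    # lets the module accept symlinks again without refusing --links.
EOF
}

# Run directly: sh rsync-module-audit.sh /srv/rsync/upload
if [ $# -eq 1 ]; then
    audit_symlinks "$1" || exit $?
fi
```

Run the audit after applying the refuse list, and again after any change to the module's contents, since the refuse options only stop new symlinks from arriving; links that were already in the hierarchy are what the second half of the advisory's first recommendation is about.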
--- Begin Message ---
Source: rsync
Source-Version: 2.6.9-5.1

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive:

rsync_2.6.9-5.1.diff.gz
  to pool/main/r/rsync/rsync_2.6.9-5.1.diff.gz
rsync_2.6.9-5.1.dsc
  to pool/main/r/rsync/rsync_2.6.9-5.1.dsc
rsync_2.6.9-5.1_i386.deb
  to pool/main/r/rsync/rsync_2.6.9-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 03 Dec 2007 17:00:37 +0100
Source: rsync
Binary: rsync
Architecture: source i386
Version: 2.6.9-5.1
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 rsync      - fast remote file copy program (like rcp)
Closes: 453652
Changes: 
 rsync (2.6.9-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing-security team.
   * This update addresses the following security issues (Closes: #453652):
     - When "use chroot" option is disabled, a programming error
       can be exploited by a user to trick rsync into creating a
       symlink that points outside the module's hierarchy.
     - A programming error within the "exclude", "exclude from" and "filter"
       options can be exploited via a symlink attack to gain access
       to hidden files if the filename is known.
Files: 
 28b881c85ed620afe5c103426fc49841 560 net optional rsync_2.6.9-5.1.dsc
 61ea40dae091ed44153bbaa5a7424145 43173 net optional rsync_2.6.9-5.1.diff.gz
 0b663b41fea99d27fe2c06a53783e0c8 258652 net optional rsync_2.6.9-5.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVwOQHYflSXNkfP8RAmhvAJ0ZH0nIwWCdM35g+A9j6ZWMlZLMNACdETh7
C5ig0ObWVRIMIMZhjm9pWFM=
=cTQF
-----END PGP SIGNATURE-----



--- End Message ---
